Security Bulletins

Disclosed security vulnerabilities and their mitigation.

| Disclosure | Date | Affected Releases | Impact Score | Related |
|---|---|---|---|---|
| ISTIO-SECURITY-2020-011 | November 21, 2020 | 1.8.0 | N/A | Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections |
| ISTIO-SECURITY-2020-010 | September 29, 2020 | 1.6 to 1.6.10; 1.7 to 1.7.2 | 8.3 | |
| ISTIO-SECURITY-2020-009 | August 11, 2020 | 1.5 to 1.5.8; 1.6 to 1.6.7 | 6.8 | Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services |
| ISTIO-SECURITY-2020-008 | July 9, 2020 | 1.5 to 1.5.7; 1.6 to 1.6.4; all releases prior to 1.5 | 6.6 | Incorrect validation of wildcard DNS Subject Alternative Names |
| ISTIO-SECURITY-2020-007 | June 30, 2020 | 1.5 to 1.5.6; 1.6 to 1.6.3 | 7.5 | Multiple denial of service vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-006 | June 11, 2020 | 1.4 to 1.4.9; 1.5 to 1.5.4; 1.6 to 1.6.1 | 7.5 | Denial of service in the HTTP2 library used by Envoy |
| ISTIO-SECURITY-2020-005 | May 12, 2020 | 1.4 to 1.4.8; 1.5 to 1.5.3 | 7.5 | Denial of service affecting telemetry v2 |
| ISTIO-SECURITY-2020-004 | March 25, 2020 | 1.4 to 1.4.6; 1.5 | 8.7 | Default Kiali security configuration allows full control of mesh |
| ISTIO-SECURITY-2020-003 | March 3, 2020 | 1.4 to 1.4.5 | 7.5 | Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-002 | February 11, 2020 | 1.3 to 1.3.6 | 7.4 | Mixer policy check bypass caused by improperly accepting certain request headers |
| ISTIO-SECURITY-2020-001 | February 11, 2020 | 1.3 to 1.3.7; 1.4 to 1.4.3 | 9.0 | Authentication Policy bypass |
| ISTIO-SECURITY-2019-007 | December 10, 2019 | 1.2 to 1.2.9; 1.3 to 1.3.5; 1.4 to 1.4.1 | 9.0 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-006 | November 7, 2019 | 1.3 to 1.3.4 | 7.5 | Denial of service |
| ISTIO-SECURITY-2019-005 | October 8, 2019 | 1.1 to 1.1.15; 1.2 to 1.2.6; 1.3 to 1.3.1 | 7.5 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability | September 10, 2019 | 1.2 to 1.2.4 | | An erroneous 1.2.4 sidecar image was available due to a faulty release operation |
| ISTIO-SECURITY-2019-004 | August 13, 2019 | 1.1 to 1.1.12; 1.2 to 1.2.3 | 7.5 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-003 | August 13, 2019 | 1.1 to 1.1.12; 1.2 to 1.2.3 | 7.5 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-002 | June 28, 2019 | 1.0 to 1.0.8; 1.1 to 1.1.9; 1.2 to 1.2.1 | 7.5 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-001 | May 28, 2019 | 1.1 to 1.1.6 | 8.9 | Incorrect access control |